[LilBytes]

If they had root access to an AWS account, this is exactly what you would expect.

If there's a cyber security firm that's been hired to provide analysis they're going to be combing through egress traffic to find anything suspicious. But, egress traffic is difficult and expensive to analyse.

Worse yet, the attackers could easily just sit there and not use their attack methods for a little while and start up their compromises in weeks or months. You couldn't be certain nothing's still there till you ripped the AWS resources out and replaced them.